April 2016

Apr 28, 2016

No holds are barred as a freewheeling panel of cryptographers and security pros duke it out with me and the Justice Department over going dark, exceptional access, and the Apple-FBI conflict. Among the combatants: Patrick Henry, a notable cryptographer with experience at GCHQ, NSA, and the private sector; Dan Kaminsky, the Chief Scientist at White Ops; Kiran Raj, who is Senior Counsel to the Deputy Attorney General; and Dr. Zulfikar Ramzan, the CTO of RSA Security. Our thanks to Catherine Lotrionte, who generously agreed to let me record this one-hour panel at her remarkable Annual International Conference on Cyber Engagement.

I read an 80-page FISA opinion so you don’t have to. One of the technolibertarians’ favorite proposals – requiring warrants for searches of already-collected 702 data – has now been briefed to the court by one of the first FISA amici. And rejected. The argument was slapped down in an opinion by Judge Hogan. In the old days, government critics would have been able to press such an argument for years; now, thanks to the vigilant FISA amici and the transparency in FISA opinions that they cried for, that argument has suffered a body blow before it has even built up a head of steam.

Our news roundup concentrates on the draft Senate bill on encryption from Senators Burr and Feinstein. Not surprisingly, I find the critics to be mostly off target and occasionally unhinged in inimitable tech-sector fashion. Sen. Wyden condemns the bill, and no one is surprised. The White House ducks a fight over the legislation, and mostly no one cares any more. I offer the view that as more Silicon Valley firms adopt easy, universal, unbreakable crypto, the tide will slowly turn against them, as the list of crypto victims keeps getting longer.

Apr 13, 2016

Steptoe recently held a client briefing in its Palo Alto office to update clients on Chinese legal and regulatory developments affecting US technology companies. I took advantage of the event to sneak in a quick discussion with Susan Munro and Ying Huang of Steptoe's China practice, on how China is regulating the Internet, with special emphasis on data protection, data localization, and more.

As always, the Cyberlaw Podcast welcomes feedback. Send an e-mail to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

The FBI’s reluctance to expose its investigative techniques to the world did not begin with the iPhone, I remind listeners; the Bureau is fighting a court order demanding that it turn over its Tor exploit source code to a defendant in a child porn case.

And speaking of “privacy” tools that turn out to be mostly boons for criminals, the US government-funded Tor Project is sinking ever deeper into swamps of human depravity. According to Cloudflare, 94 percent of Tor traffic is per se malicious. And according to other sources, most of the remaining 6% is to child porn and other criminal sites. I’m not sure how many more privacy victories like that the tech world can afford. And if you were wondering whether that’s just a one-off, check out the remarkable story of everyone’s favorite encryption program – which it turns out was mostly created by a Deep Nerd who evolved into a no-kidding, murder-for-hire monster. But don’t worry. I’m sure there’s no connection between a burning desire for privacy and a burning desire to do things abhorred by the overwhelming mass of humankind. It’s probably just a coincidence.

Apr 04, 2016

I continue to be fascinated by the very early chapters of the Hillary Clinton homebrew email saga. For one simple reason: the clintonemail.com server apparently didn't have the TLS certificate needed to encrypt connections to it until late March 2009 -- more than two months after the server was up and running, and after Secretary Clinton's swearing-in on January 22.

Two questions are raised by this timing: First, why didn't the server have encryption from the start? And second, why did it get encryption in March, at a time when Clinton should have been extraordinarily busy getting up to speed at State, not messing with computer security protocols?

The simplest answer to the first question is that the lack of a certificate was just a mistake. But what about the second? What inspired the Secretary to get an encryption certificate in March when her team hadn't bothered to get one in January or February?

The likely answer to that question is pretty troubling. There now seems to be a very real probability that Hillary Clinton rushed to install an encryption certificate in March 2009 because the U.S. intelligence community caught another country reading Clinton's unencrypted messages during her February 16-21, 2009, trip to China, Indonesia, Japan, and S. Korea.
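The timing argument above rests on a property any investigator can read straight off a certificate: its notBefore date is the earliest instant the certificate could have been presented to a client, so a certificate whose window opens after a given trip cannot have been securing the server during that trip. The Go program below, added here as an illustration and not code from the podcast or from Steptoe, recovers the validity window from a PEM certificate and checks it against an event interval. Because it has to run offline, it builds its own self-signed certificate with a constructed name (mail.example.com) and an assumed issue date of March 30, 2009; the page says only "late March," so that day is a placeholder, while the February 16-21 trip dates are the ones given above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CertWindow holds the validity window recovered from a certificate.
type CertWindow struct {
	Subject   string
	NotBefore time.Time
	NotAfter  time.Time
}

// ParseCertWindow decodes the first PEM CERTIFICATE block and returns its
// subject and validity window. NotBefore is the earliest instant at which the
// certificate could have been served, which is what makes it a timeline marker.
func ParseCertWindow(pemBytes []byte) (CertWindow, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return CertWindow{}, errors.New("input contains no PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return CertWindow{}, fmt.Errorf("parsing certificate: %w", err)
	}
	return CertWindow{
		Subject:   cert.Subject.CommonName,
		NotBefore: cert.NotBefore,
		NotAfter:  cert.NotAfter,
	}, nil
}

// Covers reports whether the certificate was valid for the whole of
// [start, end]. A false result means that, for at least part of that interval,
// this certificate cannot have been the one securing the service.
func (w CertWindow) Covers(start, end time.Time) bool {
	return !start.Before(w.NotBefore) && !end.After(w.NotAfter)
}

// MakeTestCertPEM builds a self-signed certificate with a chosen validity
// window. It exists only so the example runs offline; the name and dates are
// constructed for the demonstration, not taken from any real server.
func MakeTestCertPEM(cn string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	// Assumed window: issued at the end of March 2009, valid for one year.
	// The exact day is a placeholder; the page says only "late March 2009".
	notBefore := time.Date(2009, time.March, 30, 0, 0, 0, 0, time.UTC)
	notAfter := notBefore.AddDate(1, 0, 0)
	pemBytes, err := MakeTestCertPEM("mail.example.com", notBefore, notAfter)
	if err != nil {
		panic(err)
	}
	w, err := ParseCertWindow(pemBytes)
	if err != nil {
		panic(err)
	}
	// Trip interval as given on the page: February 16-21, 2009.
	tripStart := time.Date(2009, time.February, 16, 0, 0, 0, 0, time.UTC)
	tripEnd := time.Date(2009, time.February, 21, 23, 59, 59, 0, time.UTC)
	fmt.Printf("%s valid %s to %s\n", w.Subject,
		w.NotBefore.Format("2006-01-02"), w.NotAfter.Format("2006-01-02"))
	fmt.Printf("could this certificate have secured the server during the trip? %v\n",
		w.Covers(tripStart, tripEnd))
}
```

To apply this to a real certificate, replace the generated fixture with the PEM file from the server (or one saved from an `openssl s_client` session) and pass it to ParseCertWindow; the same Covers check then answers whether that certificate could have been in service on any date of interest. Two caveats a practitioner should keep in mind: a certificate's notBefore only bounds when that certificate could have been used, not when the server actually began offering TLS, and an earlier certificate could have existed and been replaced, so the window is evidence for a timeline rather than proof of one.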

Even as she kept her homebrew server, Clinton and her staff were fighting to hang on to their Blackberries, just like President Obama. That provoked resistance from the State Department's top security official, Assistant Secretary Eric Boswell. On March 2, he sent the Secretary a memo -- "Use of Blackberries on Mahogany Row” -- declaring that “the vulnerabilities and risks associated with the use of Blackberries in Mahogany Row [the State Department's seventh floor executive offices] considerably outweigh their convenience.”

But what's fascinating and troubling is something else in the correspondence. One staff message says that during Clinton's conversation with Boswell, "her attention was drawn to a sentence that indicates we [the diplomatic security office] have intelligence concerning this vulnerability during her recent trip to Asia."

I am struck by the mix of delicacy and insistence in that phrasing. It seems likely that Clinton's attention was drawn to that sentence because the intelligence was about Secretary Clinton's own communications security, something a discreet diplomat would not want to say directly in written communications. Clinton certainly acted like the intelligence concerned her. She asked Boswell to get her "the information." On March 11, Boswell is told by his staff that the report is already on the classified system, and he is reminded that he had already been briefed on it. Presumably he conveyed it to Clinton soon after March 11.

I suppose this could all be coincidence, but the most likely scenario is that the Secretary's Asia trip produced an intelligence report that was directly relevant to the security of Clinton's communications. And that the report was sufficiently dramatic that it spurred Clinton to make immediate security changes on her homebrew server.

Did our agencies see Clinton's unencrypted messages transiting foreign networks? Did they spot foreign agencies intercepting those messages? It's hard to say, but either answer is bad, and the quick addition of encryption to the server suggests that Clinton saw it that way too.

If that's what happened, it would raise more questions. Getting a digital certificate to support encryption is hardly a comprehensive response to the server's security vulnerabilities. So who decided that that was all the security it needed? How pointed was the warning about her Asia trip? Does it expand the circle of officials who should have known about and addressed the server's insecurity? And why, despite evidence that Clinton was using the server in connection with work in January and February, did Clinton turn over no emails before March 18?

We don't know the answers to those questions, and they may have perfectly good answers. But they do suggest that the investigation should be focusing heavily on who did what to clintonemail.com in January through March of 2009.

Our news roundup concentrates on the draft Senate bill on encryption from Senators Burr and Feinstein. Not surprisingly, I find the critics to be mostly off point and occasionally unhinged in inimitable tech-sector fashion. Sen. Wyden condemns the bill, and no one is surprised. The White House ducks a fight over the legislation, and mostly no one cares any more. I offer the view that as more Silicon Valley firms adopt easy, universal, unbreakable crypto, the tide will slowly turn against them, as the list of crypto victims keeps getting longer.